The JIRA implementation used to store login details is not thread safe.

When a user logins or fails to login JIRA updates a number of attributes that are stored in the CWD_USER_ATTRIBUTES table. Because of the SPI contract multiple values may be stored against any attribute and JIRA handles this situation by deleting all the values associated with this user_id attribute_name pair and then inserting the new values.

This behaviour not thread safe and when same user (or more typically a bot) logs in multiple times concurrently, can result in multiple rows beig stored for each attribute and for counts, e.g. login.count, being either incorrect or randomly reset to zero.